ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Modsecurity | Trustwave | 2.0.0 (including) | 2.9.5 (excluding) |
| Modsecurity | Trustwave | 3.0.0 (including) | 3.0.6 (excluding) |
| Modsecurity | Ubuntu | hirsute | * |
| Modsecurity | Ubuntu | impish | * |
| Modsecurity | Ubuntu | kinetic | * |
| Modsecurity | Ubuntu | lunar | * |
| Modsecurity | Ubuntu | mantic | * |
| Modsecurity | Ubuntu | trusty | * |
| Modsecurity | Ubuntu | xenial | * |
| Modsecurity-apache | Ubuntu | bionic | * |
| Modsecurity-apache | Ubuntu | esm-apps/bionic | * |
| Modsecurity-apache | Ubuntu | esm-apps/xenial | * |
| Modsecurity-apache | Ubuntu | focal | * |
| Modsecurity-apache | Ubuntu | hirsute | * |
| Modsecurity-apache | Ubuntu | impish | * |
| Modsecurity-apache | Ubuntu | kinetic | * |
| Modsecurity-apache | Ubuntu | trusty | * |
| Modsecurity-apache | Ubuntu | upstream | * |
| Modsecurity-apache | Ubuntu | xenial | * |